Bug 201059 - net/freeradius3: [security] FreeRADIUS insufficient CRL application (CVE-2015-4680)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Ryan Steinmetz
Reported: 2015-06-22 22:06 UTC by Jason Unovitch
Modified: 2015-07-13 10:07 UTC
bugzilla: maintainer-feedback? (zi)


Attachments
security/vuxml for freeradius CVE-2015-4680 (2.08 KB, patch)
2015-07-13 02:03 UTC, Jason Unovitch
junovitch: maintainer-approval? (ports-secteam)

Description Jason Unovitch freebsd_committer 2015-06-22 22:06:07 UTC
Seen today on oss-security mailing list:
http://www.ocert.org/advisories/ocert-2015-008.html
Comment 1 Ryan Steinmetz freebsd_committer freebsd_triage 2015-06-23 05:56:16 UTC
I will update the ports once the fixed versions have been released.  As of minutes ago, they are not yet out.
Comment 2 Jason Unovitch freebsd_committer 2015-07-13 02:03:30 UTC
Created attachment 158676
security/vuxml for freeradius CVE-2015-4680

Follow up with a VuXML entry.  This covers this PR and bug 201058.  

Ryan, it looks like the updated release came out just before the weekend.  See http://freeradius.org/press/index.html#3.0.9


== VUXML VALIDATION == 
% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit freeradius3-3.0.8
freeradius3-3.0.8 is vulnerable:
freeradius -- insufficent CRL application vulnerability
CVE: CVE-2015-4680
WWW: https://vuxml.FreeBSD.org/freebsd/379788f3-2900-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit freeradius3-3.0.9
0 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit freeradius2-2.2.7
freeradius2-2.2.7 is vulnerable:
freeradius -- insufficent CRL application vulnerability
CVE: CVE-2015-4680
WWW: https://vuxml.FreeBSD.org/freebsd/379788f3-2900-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit freeradius2-2.2.8
0 problem(s) in the installed packages found.
Comment 3 commit-hook freebsd_committer 2015-07-13 04:21:35 UTC
A commit references this bug:

Author: feld
Date: Mon Jul 13 04:21:16 UTC 2015
New revision: 391877
URL: https://svnweb.freebsd.org/changeset/ports/391877

Log:
  Document freeradius vulnerability

  PR:		201059
  Security:	CVE-2015-4680

Changes:
  head/security/vuxml/vuln.xml
Comment 4 Ryan Steinmetz freebsd_committer freebsd_triage 2015-07-13 05:32:26 UTC
net/freeradius3 updated to 3.0.9
Comment 5 Jason Unovitch freebsd_committer 2015-07-13 10:07:28 UTC
Thanks.  We should just need an MFH to 2015Q3 of the 3.0.8 -> 3.0.9 update then PR is ready for close.